Method and Apparatus for Route Optimization in a Telecommunication Network

ABSTRACT

A method and apparatus for controlling the routing of a data packet sent from a first node towards a second node of a telecommunication network. The first node is a mobile node having an associated home network. An access router intercepts the data packet and determines whether the packet relates to a first mode of communication between the first and second nodes in which data packets generally bypass a home agent associated with the first node's home network. In a second mode of communication, packets generally pass through the home agent. The access router drops the packet if the packet relates to the first mode of communication and if dropping the packet is determined to be in accordance with a pre-determined routing policy.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The current invention relates to routing of traffic in a telecommunication network. It has particular relevance to traffic from a mobile node in an IP-based mobile telecommunication network.

2. Description of the Related Art

When the Internet was originally devised, hosts were fixed in location and there was implicit trust between users despite the lack of real security or host identification protocols, and this situation continued even upon wider uptake and use of the technology. There was little need to consider techniques for dealing with host mobility since computers were relatively bulky and immobile.

With the revolution in the telecommunications and computer industries in the early 1990's, smaller communication equipment and computers became more widely available, and the invention of the World Wide Web, and all the services that emerged with it, finally made the Internet attractive for the average person. The combination of increasing usage of the network and mobile telecommunications created the need for secure mobility management in the Internet.

Taking into account the above mobility management, the Mobile IP standard (C. Perkins, “IP Mobility Support for IPv4”, RFC 3220, IETF, 2002) and the Mobile IPv6 standard (D. Johnson, C. Perkins, J. Arkko, “Mobility Support in IPv6”, RFC 3775, IETF, 2004) have been introduced. Together these specifications are planned to provide mobility support for the next generation Internet.

An IP address describes a topological location of a node in the network. The IP address is used to route the packet from the source node to the destination. At the same time the IP address is generally also used to identify the node, providing two different functions in one entity. This can be considered to be akin to a person responding with their home address when asked who they are. When mobility is also considered, the situation becomes even more complicated: since IP addresses act as host identifiers in this scheme, they must not be changed; however, since IP addresses also describe topological locations, they must necessarily change when a host changes its location in the network.

With Mobile IP, the solution is to use a fixed home location providing a “home address” for the node. The home address both identifies the node and provides a stable location for it when it is at home. The current location information is available in the form of a care-of address, which is used for routing purposes when the node is away from home.

Cellular networks provide roaming capabilities, where visited networks provide connectivity to roaming users. The traffic of roaming users may be tunneled back to the home network or it may leave or be terminated in the visited network. Possible reasons for using home tunneling include: the ability to charge at home; enabling policy control at home; having a mobility anchor at home; providing location privacy; and allowing for the possibility that servers providing user service are in the home network. Possible reasons for local breakout include: optimal routing; shorter (and hence cheaper) access to the Internet; and access to services provided locally in the visited network.

The following two mechanisms for providing home tunneling and optimal routing (local breakout) dynamically while being reachable at the same IP address are known:

- IP2, where route optimization is entirely network centric.
- The Mobile IP standard, as mentioned above, where Mobile Nodes (MN) themselves send location update messages (Binding Updates, BU) to Correspondent Nodes (CN). Then Correspondent Nodes direct their traffic to the current location of the MN.

While IP2 allows full control for the network to decide routing (including home tunneling or route optimization), it is a complex system requiring IP2 to be implemented in the visited and home networks and also in the network of the CN. Its complexity makes it unsuitable for a number of purposes.

Another form of route optimization (albeit a less powerful one) is the use of a locally-assigned IP address for communication by the MN instead of the home address. In this case, no specific mechanisms are needed to ensure direct routing between the CN and the MN; however, the transport session may break if the MN moves away. The MN may choose to initiate communication using a locally-assigned address at its own discretion.

The Mobile IP standard will now be described in more detail with reference to FIGS. 1 and 2 of the accompanying drawings.

Mobile IP is a mechanism for maintaining transparent network connectivity to and from a Mobile Node (MN), such as a mobile terminal or telephone, over an IP based network. Mobile IP enables a Mobile Node to be addressed by the IP address it uses in its home network (Home Address), regardless of the network to which it is currently physically attached. Therefore, ongoing network connections to and from a Mobile Node can be maintained even as the Mobile Node is moving from one subnet to the other. Mobile IP can be implemented using IP protocol version 4, IPv4, or IP protocol version 6, IPv6. IPv6 is generally preferred as IPv4 has a number of limitations in a mobile environment. The IPv6 protocol as such is specified in RFC 2460.

In Mobile IPv6, each mobile node is always identified by its Home Address. While away from its home IP subnet (Home Subnet) a Mobile Node is also associated with a Care-of Address which indicates the Mobile Node's current location. The association of the Mobile Node's Home Address and the Care-of Address is known as Binding. A router in the Home Subnet, known as the Home Agent, maintains a record of the current Binding of the Mobile Node. The Mobile Node can acquire its Care-of Address through conventional IPv6 mechanisms called auto-configuration at the visited (or foreign) IP subnet.

Any node with which a Mobile Node is communicating is referred to as a Correspondent Node. The Correspondent Node could itself be either mobile or stationary.

There are two possible modes for communications between the Mobile Node and the Correspondent Node. The first mode, bidirectional tunneling to/from the Home Agent, does not require Mobile IPv6 support from the Correspondent Node and is available even if the Mobile Node has not registered its current Binding with the Correspondent Node. The first mode is illustrated in FIG. 1. IP packets from the Correspondent Node are routed to the Home Agent and then tunneled to the Mobile Node. Packets to the Correspondent Node are tunneled from the Mobile Node to the Home Agent (“reverse tunneled”) and then routed normally from the Home Network to the Correspondent Node. In this mode, the Home Agent intercepts any IPv6 packets addressed to the Mobile Node's Home Address and each intercepted packet is tunneled to the Mobile Node's primary Care-of Address. This tunneling is performed using IPv6 encapsulation.

The second mode, referred to as ‘route optimization’, requires the Mobile Node to register its current binding at the Correspondent Node. The second mode is illustrated in FIG. 2. Packets from the Correspondent Node can be routed directly to the Care-of Address of the Mobile Node. When sending a packet to an IPv6 destination, the Correspondent Node checks its cached bindings for an entry for the packet's destination address. If a cached binding for this destination address is found, the node uses a new type of IPv6 routing header to route the packet to the Mobile Node by way of the Care-of Address indicated in this binding.

In this regard, a routing header may be present as an IPv6 header extension, and indicates that the payload has to be delivered to a destination socket in some way that is different from what would be carried out by standard receiver host processing. Mobile IPv6 defines a new routing header variant, the type 2 routing header, to allow the packet to be routed directly from a correspondent to the mobile node's care-of address. Use of the term “routing header” typically refers to use of a type 2 routing header. The mobile node's care-of address is inserted into the IPv6 Destination Address field. Once the packet arrives at the care-of address, the mobile node extracts the final destination address (equal to its home address) from the routing header, and delivers the packet to the appropriate socket as if the packet were addressed to the extracted address.

The new routing header uses a different type than defined for “regular” IPv6 source routing, enabling firewalls to apply different rules to source routed packets than to Mobile IPv6. This routing header type (type 2) is restricted to carry only one IPv6 address and can only be processed by the final destination and not intermediate routers.

All IPv6 nodes which process this routing header must verify that the address contained within is the node's own home address in order to prevent packets from being forwarded outside the node. The IP address contained in the routing header, since it is the mobile node's home address, must be a unicast routable address.

Furthermore, if the scope of the home address is smaller than the scope of the care-of address, the mobile node must discard the packet.

With route optimization, the Mobile Node registers its current binding at the Correspondent Node using a Binding Update message sent from the Mobile Node to the Correspondent Node (which the Correspondent Node acknowledges with a Binding Update Acknowledgement message). The Binding Update message contains as its destination address the address of the Correspondent Node. The source address of the message is the Care-of Address of the Mobile Node, whilst the home address of the Mobile Node is contained within a home address field of the message header. Route optimisation requires the inclusion of a routing header (a type 2 routing header) in the packet headers, indicating that the packets must be dealt with in a special way.

In order to enhance security of the Optimised Routing process, a “proof-of-address” mechanism may be employed. One such mechanism requires that, prior to issuing a (first) Binding Update message, a roaming Mobile Node send to a Correspondent Node a first message (HoTI) employing route optimisation and a second message (CoTI) not employing route optimisation. The second message travels via the Home Agent whilst the first does not. The Correspondent Node replies to the first message with a first part of a random number generated by the Correspondent Node, and replies to the second message with a second part of the random number. The Mobile Node will only receive both parts of the random number if it has given both a valid Care-of Address and a valid Home Address. When the Binding Update is subsequently sent to the Correspondent Node, the Mobile Node includes both parts of the random number in the message to prove ownership of the Care-of and Home Addresses.

Once implemented, Route Optimisation allows the Mobile Node to send packets directly to the Correspondent Node. The Care-of Address is included as the source address in these “outgoing” packets. This is done by the Mobile IP protocol layer at the Mobile Node, which replaces the home address with the Care-of Address as the source address in outgoing packets. The Home Address is included in a further header field. The Mobile IP protocol layer at the Correspondent Node screens incoming packets by comparing the source addresses of the packets with Care-of Addresses held in its binding cache. If a match is found, the Care-of Address is replaced with the corresponding Home Address, in the source address field, before passing the message to higher layers. Transit through the home network is thus avoided.

Considering the reverse direction, packets from the Correspondent Node can be routed directly to the Care-of Address of the Mobile Node. When sending a packet to an IPv6 destination, the Correspondent Node checks its cached bindings for an entry for the packet's destination address. If a cached binding for this destination address is found, the node replaces the destination address with the corresponding Care-of Address, whilst including the original destination address (i.e. the Home Address) in a further header field. Upon receipt of a packet at the Mobile Node, the Mobile IP protocol layer replaces the Care-of Address in the destination field with the home address of the Mobile Node. The packet is then passed to higher protocol layers. Again, transit through the home network is avoided.

Routing packets directly to the Mobile Node's Care-of Address with ‘route optimization’ allows the shortest communications path to be used. It also eliminates congestion at the Mobile Node's Home Agent. In addition, the impact of any possible failure of the Home Agent or networks on the path to or from it is reduced.

However, the possibility of ‘route optimization’ that MIPv6 provides leads to a very terminal centric solution, as the establishment of home address to care-of address bindings in the correspondent node is decided, initiated and executed by the mobile node itself. This does not allow network operators to influence whether traffic is tunneled home or routed locally. For example, home networks have no influence over whether a particular piece of traffic is routed via them or not. This is true even if the visited network fully co-operates with the home network in this regard. The simple use of a local IP address is also decided by the terminal. If (home) network control of route optimization is requested, the use of local addresses needs to be controlled too.

It is desirable to address the above-mentioned issues concerning the existing approaches.

SUMMARY OF THE INVENTION

According to a first aspect of the present invention there is provided a method of controlling the routing of data packets sent from a first node towards a second node of a telecommunication network, the first node being a mobile node having an associated home network, and the method comprising: intercepting such a data packet; determining if the packet relates to a first mode of communication between the first and second nodes in which data packets generally bypass a home agent associated with the first node's home network, through which home agent packets would generally pass in a second mode of communication between the first and second nodes different to the first mode; and dropping the packet if it is so determined and if dropping of the packet is determined to be in accordance with a predetermined routing policy.

The method may comprise determining whether the dropping of the packet is in accordance with the routing policy in dependence on the packet's destination address.

The destination address may be one of a home address and a care-of address.

The method may comprise determining whether the dropping of the packet is in accordance with the routing policy in dependence on the packet's source address.

The method may comprise determining that the packet should be dropped if the packet's source address is a local address, unless the delivery of such a packet is allowed by the routing policy according to the packet's destination address.

The method may comprise determining whether the dropping of the packet is in accordance with the routing policy in dependence on a routing header in the packet.

The method may comprise determining that the packet relates to the first mode of communication if it relates to a control message associated with the first mode.

The first mode of communication may be a route optimization mode of the Mobile IP standard and the second mode may be a bidirectional tunneling mode of the Mobile IP standard.

Control messages associated with the first mode may comprise at least one type of IPv6 mobility message.

Control messages associated with the first mode may comprise at least one of the following types of message: a Binding Update message; a Home Test Init message; and a Care-of Test Init message.

The method may comprise determining whether the packet relates to the first mode of communication in dependence on at least one of the packet's source and destination address.

The second node may be a stationary node.

The method may further comprise sending an error message to the first node if the packet is dropped.

The error message may be an ICMP Administratively prohibited message.

The routing policy may specify at least one IP address range, the routing policy specifying for the or each range whether a packet having a source address that falls within that range is to be dropped or allowed.

The routing policy may specify at least one IP address range, the routing policy specifying for the or each range whether a packet having a destination address that falls within that range is to be dropped or allowed.

The telecommunication network may be an IP based telecommunication network.

The IP network may be based on at least one of the IP protocols IPv4 and IPv6.

The method may comprise intercepting the packet in a visited network if the first node has roamed outside of its home network into the visited network, else intercepting the packet in the home network.

The routing policy may be stored in the network entity that intercepts the packet.

The method may comprise performing the steps in an Access Router.

The method may comprise managing the routing policy from a remote location.

The method may comprise managing the routing policy remotely via management signalling.

The management signalling may use any of the Diameter or COPS protocols.

According to a second aspect of the present invention there is provided an apparatus for controlling the routing of data packets sent from a first node towards a second node of a telecommunication network, the first node being a mobile node having an associated home network, and the apparatus comprising: means for intercepting such a data packet; means for determining if the packet relates to a first mode of communication between the first and second nodes in which data packets generally bypass a home agent associated with the first node's home network, through which home agent packets would generally pass in a second mode of communication between the first and second nodes different to the first mode; and means for dropping the packet if it is so determined and if dropping of the packet is determined to be in accordance with a predetermined routing policy.

According to a third aspect of the present invention there is provided a method of controlling the sending of data packets from a first node towards a second node of a telecommunication network, the first node being a mobile node having an associated home network, and the method comprising: not sending such a packet if it would relate to a first mode of communication between the first and second nodes in which data packets generally bypass a home agent associated with the first node's home network, through which home agent packets would generally pass in a second mode of communication between the first and second nodes different to the first mode, unless the sending of such a packet is determined to be in accordance with a predetermined routing policy.

The method may comprise determining whether the sending of such a packet is in accordance with the routing policy in dependence on the packet's destination address.

The method may comprise determining whether the sending of such a packet is in accordance with the routing policy in dependence on the packet's source address.

The method may comprise determining that such a packet would relate to the first mode of communication if it is a control message associated with the first mode.

The method may comprise managing the routing policy in dependence on error messages received in response to the previous sending of such packets, the error messages indicating that the packets have been dropped.

The routing policy may specify at least one IP address range, the routing policy specifying for the or each range whether a packet having a destination address that falls within that range is allowed to be sent.

According to a fourth aspect of the present invention there is provided an apparatus for controlling the sending of data packets from a first node towards a second node of a telecommunication network, the first node being a mobile node having an associated home network, and the apparatus comprising: means for preventing the sending of such a packet if it would relate to a first mode of communication between the first and second nodes in which data packets generally bypass a home agent associated with the first node's home network, through which home agent packets would generally pass in a second mode of communication between the first and second nodes different to the first mode, unless the sending of such a packet is determined to be in accordance with a predetermined routing policy.

According to a fifth aspect of the present invention there is provided an operating program which, when run on an apparatus, causes the apparatus to carry out a method according to the first or third aspect of the present invention.

According to a sixth aspect of the present invention there is provided an operating program which, when loaded into an apparatus, causes the apparatus to become apparatus according to the second or fourth aspect of the present invention.

The operating program may be carried on a carrier medium. The carrier medium may be a transmission medium. The carrier medium may be a storage medium.

As described above, a problem with the ‘route optimization’ option of the Mobile IP standard is that the Mobile Node's home network has little control over the routing of the traffic flow between the Mobile Node and the Correspondent Node. The bidirectional tunneling option, on the other hand, allows the home network to control functions such as charging, policies, user services etc. related to ‘its’ Mobile Node.

An embodiment of the present invention retains the benefits of the known ‘route optimization’ method, whilst addressing the above problem relating to the lack of control for the home network.

An embodiment of the present invention relates to a policing function and a policing device that can be controlled from a remote location (such as, for example, the home network). By using this policing function, optimized routing can be controlled and restricted for certain destinations. The policing function and device can be implemented in an Access Router (AR) or in the Mobile Node or a combination of these.

To manage the lists from a remote location, a management protocol isused.

In this way, the home network is able to exercise more control over how or whether a terminal does route optimization (the Visited Network or a third party policy repository may also exercise this control; additionally, a combination of home and visited network policies is also possible). To this end, various solutions are presented below.

One element may be a policing unit in the MN's Access Router (AR, or other access node), which checks BU messages sent by MNs and/or user data packets. It is able to reject those messages and/or traffic if the MN is not entitled to perform route optimization towards that particular CN.

An embodiment of the present invention thereby enables network operators of the home network to have more control of the routing of ‘its’ mobile node. An embodiment of the present invention also arrives at the same technical result as more complex solutions previously known.

An embodiment of the present invention provides a method of controlling the flow of IP packets between a Mobile Node and Correspondent Nodes over an IP network, where the Mobile Node has a subscription to a home network and is currently attached to a different, visited network, the method comprising: installing flow control policies at the Mobile Node and/or at an access router of the visited network, from the home network, these policies identifying IP addresses which the Mobile Node may communicate with without having to route packets via the home network; and at the Mobile Node and/or at the access router, rejecting at least certain packets sent directly to prohibited IP addresses.

An advantage of an embodiment of the invention is that the solution may be used by an operator of the home network to provide more control of the routing of traffic associated with its mobile nodes.

The allowed IP addresses of the flow control policies may be defined by one or both of a set of allowed IP addresses and a set of prohibited IP addresses. A set of addresses may be specified as one or more address ranges.

In an embodiment of the present invention, said flow control policies cause the Mobile Node and/or the access router to intercept packets associated with a route optimisation procedure as defined for Mobile IP. Only packets relating to a Binding process may be intercepted, e.g. a Binding Update message or a HoTI/CoTI message, and their destination addresses subjected to comparison with allowed or denied addresses.

The method comprises comparing the destination address of a packet at the Mobile Node or access router against IP addresses identified by the policies. Additionally, where the packet contains a type 2 Routing Header according to Mobile IP, the method may comprise comparing the type 2 Routing Header address against IP addresses identified by the policies, the message being rejected if either the destination address or the type 2 Routing Header address is disallowed.

The flow control policies may comprise a rule disallowing the sending of packets from the Mobile Node which have a local address of the visited network as source address. This may be used to prevent the Mobile Node setting up direct, i.e. non-Mobile IP based, sessions with a Correspondent Node.

In an embodiment of the invention, said flow control policies are installed at the access router. In the event that a packet is rejected by the access router on the basis of the policies, a notification may be sent to the Mobile Node. The Mobile Node may record this fact to prevent subsequent retries at sending the same packet. The Mobile Node may record the error message to prevent subsequent attempts to communicate directly or perform route optimisation with the same Correspondent Node.

The policing function and device can be implemented in an Access Router (AR) or in the Mobile Node.

In the case of a 3GPP architecture, said access router may be a GPRS Gateway Support Node (GGSN), in which case the policies are installed in the GGSN via a Policy Charging Rules Function (PCRF) of the visited network.

In an embodiment of the invention, the home network may deliver general policy statements to the visited network, the visited network translating these statements into explicit IP addresses or address ranges.

The visited network may install its own policies into the access router and/or Mobile Node in addition to those installed by the home network.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1, discussed hereinbefore, illustrates the bidirectional tunneling mode of Mobile IP;

FIG. 2, also discussed hereinbefore, illustrates the route optimization mode of Mobile IP;

FIG. 3 is a block diagram showing an Access Router according to an embodiment of the present invention; and

FIG. 4 is a block diagram showing a Mobile Node according to an embodiment of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

An embodiment of the present invention proposes extensions to the Mobile Node and/or to one or more of the Access Routers described above with reference to FIGS. 1 and 2.

Before specific embodiments of the present invention are described with reference to FIGS. 3 and 4, an overview of techniques embodying the present invention will first be provided.

It is desirable to provide a network operator with an option to force traffic travelling between a roaming Mobile Node (“owned” by the network operator) and a Correspondent Node through the home network. There are a number of reasons why such home network routing may be desirable, both from the operator's point of view and from the user's point of view, for example to facilitate legal interception of voice calls within the home network.

Two general approaches to providing the necessary control are presented here. The first approach relies upon policy enforcement at access routers within a visited network. The other approach relies upon policy enforcement at the Mobile Node.

Policy Enforcement at the Access Router

This approach relies upon the provision at an access router of an allowed and/or disallowed set of IP addresses, typically in the form of address ranges. For example, an allowed range of addresses may be IP addresses belonging to the home network and/or to the visited network. The list(s) is (are) contained in a subscriber profile downloaded by the access router at registration of a subscriber. In the case of 3GPP, this profile is obtained from the subscriber's home network (HSS) by a Policy Charging Rules Function (PCRF) which installs the profile into the access router (in this case a GPRS Gateway Support Node or GGSN). Packets received at the access router from a visiting Mobile Node are screened to identify packets which relate to Route Optimisation: in particular, Binding Update messages (and/or HoTI and CoTI messages where employed) are intercepted by the access router. When such packets are identified, the destination address of the packet is compared against the IP addresses contained in the allowed and/or denied lists.

In the event that a destination address is an allowed address, the message is allowed to proceed through the access router. On the other hand, if the address is not allowed, the access router will drop the message and respond to the Mobile Node with an error message, e.g. an Internet Control Message Protocol (ICMP) message. Upon receipt of the error message, the Mobile Node may drop repeat attempts to implement route optimisation with the same Correspondent Node. Indeed, the Mobile Node may include functionality that places a flag against Correspondent Node addresses (e.g. in an address book) to indicate that route optimisation is disallowed for these Correspondent Nodes.

It is noted that the policy control function may check not only the destination address field of the IP packet, but also any type 2 Routing Headers, as the Correspondent Node itself can be mobile. The policy may allow or disallow packets according to the address carried in the type 2 Routing Header using the same lists defined for destination addresses (at the discretion of the home network).

The above solution assumes that a Mobile Node will only attempt to communicate directly with a Correspondent Node using the route optimisation procedure. However, in some cases, a Mobile Node may try to circumvent the solution, deliberately or not, by communicating directly with a Correspondent Node without invoking Mobile IP, i.e. omitting the Mobile IP header from packets and including the Care-of Address as the source address and the address of the Correspondent Node as the destination address. Of course, the resulting IP session would be terminated when the Mobile Node switches to a new access router, but this may not be a problem for, say, web browsing, where a new (Care-of) IP address is allocated for each web download.

A solution to this problem is to implement a policy at the access router which rejects outgoing packets where the source address of the packets is a local address (of the access router) and where the IP address of the Correspondent Node is disallowed for the Mobile Node. The access router may check if there is a Home Address Destination option in the outgoing packet. If so, then it is a packet sent using MIPv6 route optimisation. If not, then it is simply a packet sent directly from the local address. The policy list may include rules for either or both cases.

Alternatively the units of the AR can also govern the use of a local IP address by the MN for communication. That is, a second list can be managed in the AR and allow the MN to communicate toward CNs which are positively on the list, using a local IP address as source address. Such communication achieves optimal routing between CN and MN and, in addition, it omits the overhead of MIPv6 route optimization (at the expense of sessions breaking at handover).

Policy control may be based upon one or a combination of the approaches described above.

Policy Enforcement at the Mobile Node

An alternative approach to policy enforcement is to implement the enforcement function at the Mobile Node as opposed to the access router. This might employ either or both of the approaches described above, i.e. the message type approach and the source address approach. Again, the allowed and/or denied lists may be managed by the home network using an explicit Mobile Node to home network protocol. Policies may be pushed to the Mobile Node, e.g. using the Short Messaging Service. Some anti-tampering functionality may be required at the Mobile Node to prevent users altering the policies defined by the home network.

Specific embodiments of the present invention will now be described with reference to FIGS. 3 and 4.

FIG. 3 is a block diagram showing an Access Router 10 according to an embodiment of the present invention. The Access Router 10 comprises a Binding Update (BU) Checking Unit 12, a Traffic Checking Unit 14, a List Storage Unit 16, and a List Managing Unit 18. The AR 10 here refers to the AR in the visited network of the MN (or its home network if no roaming is involved); no changes would be required in the AR of the CN.

Both the Binding Update Checking Unit 12 and the Traffic Checking Unit 14 have access to a list of IPv6 address ranges stored in the List Storage Unit 16 that specify which CNs a particular MN is allowed to perform route optimization toward. Such a list can contain a combination of allow/deny rules. The list may be managed from the home network, the visited network, a combination of the two, or from an independent policy repository, using the List Managing Unit 18 of the Access Router 10. The list items may refer to either or both of the local or home address of the CNs.

The Binding Update Checking Unit 12 captures each packet sent by a MN and checks if it is formed as a BU message and/or a Home Test Init (HoTI) message and/or a Care-of Test Init (CoTI) message. If yes, and the destination CN is not allowed according to the list in the List Storage Unit 16, the AR 10 drops the message and responds with an error message, such as an ICMP (Internet Control Message Protocol) Administratively Prohibited (or other) message. Sending an error message is not required but may enhance performance, as the MN will then drop the attempt for route optimization without lengthy retries, if it understands the reply.

The Traffic Checking Unit 14 captures each packet sent to a CN and discards any packet that is sent to a CN with a local IP address as the source address, unless the CN address is allowed by the list of IPv6 addresses in the List Storage Unit 16. The unit 14 may check if there is a Home Address Destination option in the uplink packet. If so, then it is a packet sent using MIPv6 route optimization. If not, then it is simply a packet sent directly from the local address. The policy list may include rules for either or both cases.

The two units 12 and 14 can be used in conjunction, and may each have separate policy lists in the List Storage Unit 16. The units 12 and 14 check not only the Destination Address field of the IP packet, but also any potential type 2 Routing Headers, as the CN itself might be mobile too. In case of a mobile CN, the policy of the list might be applied to both the home and care-of address of the CN, at the discretion of the Home Network, for example.

With MIPv6 route optimization, applications use the home address of the MN, so that sockets are bound to that address in both the MN and CN. Additional mechanisms (MIPv6 route optimization) are used to still deliver the packets directly between the MN and CN (that is, using their local or care-of addresses).

Alternatively, the units 12 and 14 of the AR 10 can also govern the use of a local IP address by the MN for communication. That is, a further list can be managed by the List Managing Unit 18 in the List Storage Unit 16 of the AR 10, and allow the MN to communicate toward CNs that are positively on the further list, using a local IP address as source address. With the further list, the AR 10 looks for non-MIPv6 route optimization packets and checks the destination of those. Such communication achieves optimal routing between CN and MN and, in addition, omits the overhead of MIPv6 route optimization. This alternative is weaker, as sessions break on mobility, but is still attractive; for example Web browsing may not need such mobility.

With an Access Router 10 as described above, an embodiment of the present invention does not require the MN to have any extensions over existing Mobile Nodes; the MN will try to initiate route optimization towards CNs with which it frequently communicates, and will simply be rejected if such is not allowed. However, a MN that does have extensions over existing Mobile Nodes will now be described with reference to FIG. 4; the MN of FIG. 4 can be used in conjunction with, or instead of, the extensions to the AR described above with reference to FIG. 3. In particular, the MN of FIG. 4 comprises a unit that decides on route optimization.

FIG. 4 is a block diagram showing a Mobile Node 30 according to an embodiment of the present invention. The Mobile Node 30 comprises a Route Optimization Decision Unit 32, a Message Checking Unit 34, a List Storage Unit 36, a List Managing Unit 38 and a MIPv6 Unit 40.

The Route Optimization Decision Unit 32 has access to a list of IPv6 address ranges stored in the List Storage Unit 36 similar to the lists described above with reference to the Access Router 10 of FIG. 3, specifying which CNs the MN 30 is allowed to perform route optimization toward.

The following two methods of managing this list, using the List Managing Unit 38, may apply; one or both of these methods can be active at any one time:

First Method: the list in the List Storage Unit 36 is managed from the home network, using the List Managing Unit 38 of the Mobile Node 30. With this method, the Route Optimization Decision Unit 32 of the Mobile Node 30 will only cause route optimization to be initiated towards those CNs whose address is allowed by the list in the List Storage Unit 36. An explicit Home Network to MN protocol can be applied in this case.

Second Method: the list is managed by using the Message Checking Unit 34 to intercept the ICMP (Internet Control Message Protocol) Administratively Prohibited messages, sent by the AR 10 in response to MIPv6 Route Optimization signalling messages as described above with reference to FIG. 3. The List Managing Unit 38 of the MN 30 would then put the destination CN in question on the list (with a prohibit flag) stored in the List Storage Unit 36, and this would prevent the Route Optimization Decision Unit 32 attempting to initiate route optimization towards those destinations using the MIPv6 Unit 40.

Alternatively, the Route Optimization Decision Unit 32 of the MN 30 can also govern the use of a local IP address for communication. That is, a further list can be managed in the MN 30 and communication toward CNs that are positively on the list can then be performed using a local IP address. Such communication achieves optimal routing between CN and MN and, in addition, omits the overhead of MIPv6 route optimization (at the expense of possible session breaking at handover). This is also discussed above in relation to FIG. 3.
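The two Access Router units of FIG. 3 and the Mobile Node list update of FIG. 4 (Second Method), as an added example that is not part of the patent: a Python model in which packets are plain dicts. The field names, the first-match rule order, the deny-by-default setting and the sample prefixes are assumptions of this example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network

# Mobility Header message types that start MIPv6 route optimisation.
RO_SIGNALLING = {"BU", "HoTI", "CoTI"}

@dataclass
class Rule:
    prefix: IPv6Network
    allow: bool  # True: route optimisation towards this range is permitted

@dataclass
class PolicyList:
    """Ordered allow/deny list as held in a List Storage Unit. First match
    wins and unlisted addresses get default_allow (both are assumptions)."""
    rules: list = field(default_factory=list)
    default_allow: bool = False

    def permits(self, addr: IPv6Address) -> bool:
        for rule in self.rules:
            if addr in rule.prefix:
                return rule.allow
        return self.default_allow

def ro_targets(pkt: dict) -> list:
    """Addresses the list is checked against: the destination address and,
    for a mobile CN, the home address carried in a type 2 routing header."""
    targets = [IPv6Address(pkt["dst"])]
    if pkt.get("rh2_home_addr"):
        targets.append(IPv6Address(pkt["rh2_home_addr"]))
    return targets

def bu_checking_unit(pkt: dict, policy: PolicyList) -> str:
    """Unit 12: a BU/HoTI/CoTI towards a disallowed CN is dropped."""
    if pkt.get("mh_type") not in RO_SIGNALLING:
        return "pass"  # not route-optimisation signalling
    if all(policy.permits(a) for a in ro_targets(pkt)):
        return "forward"
    return "drop"  # the AR answers with ICMP Administratively Prohibited

def traffic_checking_unit(pkt: dict, policy: PolicyList,
                          local_prefix: IPv6Network) -> str:
    """Unit 14: a packet sent from a local (care-of) address, with or without
    a Home Address destination option, is dropped unless the CN is allowed.
    Traffic tunnelled to the HA passes because the home prefix is allowed."""
    if IPv6Address(pkt["src"]) not in local_prefix:
        return "pass"  # not sent from a local address
    if all(policy.permits(a) for a in ro_targets(pkt)):
        return "forward"
    return "drop"

def access_router_check(pkt: dict, policy: PolicyList,
                        local_prefix: IPv6Network) -> str:
    """Run both units; the packet is dropped if either unit drops it."""
    verdicts = (bu_checking_unit(pkt, policy),
                traffic_checking_unit(pkt, policy, local_prefix))
    return "drop" if "drop" in verdicts else "forward"

def mobile_node_on_icmp_prohibited(mn_list: PolicyList, cn: str) -> None:
    """FIG. 4, Second Method: after an ICMP Administratively Prohibited
    reply the MN flags that CN so it stops retrying route optimisation."""
    mn_list.rules.insert(0, Rule(IPv6Network(cn + "/128"), allow=False))

def mobile_node_should_try_ro(mn_list: PolicyList, cn: str) -> bool:
    """Route Optimization Decision Unit 32: consult the MN's own list."""
    return mn_list.permits(IPv6Address(cn))

# Constructed sample configuration and packets (not taken from the patent).
HOME_NET = IPv6Network("2001:db8:1::/48")       # MN's home network, holds the HA
VISITED_NET = IPv6Network("2001:db8:2::/48")    # visited network's service hosts
LOCAL_LINK = IPv6Network("2001:db8:2:ff::/64")  # access link: care-of addresses
AR_POLICY = PolicyList([Rule(HOME_NET, True), Rule(VISITED_NET, True)])
COA = "2001:db8:2:ff::10"
PKT_BU_TO_HA = {"src": COA, "dst": "2001:db8:1::1", "mh_type": "BU"}
PKT_BU_TO_CN = {"src": COA, "dst": "2001:db8:9::1", "mh_type": "BU"}
PKT_DATA_HAO = {"src": COA, "dst": "2001:db8:2::5", "home_addr_opt": "2001:db8:1::10"}
PKT_DATA_MOBILE_CN = dict(PKT_DATA_HAO, rh2_home_addr="2001:db8:9::7")  # mobile CN
PKT_PLAIN_LOCAL = {"src": COA, "dst": "2001:db8:9::1"}  # no Mobile IP at all
```

The mobile-CN packet is dropped even though its destination (a visited-network server) is allowed, because the home address in the type 2 routing header falls outside every allowed range.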

Further details of how the home network can control routing in an embodiment of the present invention will now be described.

It is the home network that has a subscription with the user (of the mobile node) to provide telecommunication services. In a roaming situation, the visited network executes some of these services (or components thereof) on behalf of the home network based on a roaming agreement between the home and visited network operators.

Since the home network is responsible for providing the service, it needs complete control over how the service is delivered. Part of the benefit of an embodiment of the present invention derives from the possibility for the home network to control route optimization (i.e., one aspect of service delivery). Existing policy control nodes and interfaces (e.g., of the 3GPP or TISPAN architectures, where TISPAN is the Telecoms & Internet converged Services & Protocols for Advanced Networks) can be extended to include route optimization control.

The actual list of Correspondent Node addresses towards which route optimization is permitted/denied can be assembled during a process coordinated between the home and visited networks.

In the simplest case, the home network would send a list of IP address ranges for which to allow or deny route optimization, for example when the MN attaches to the visited network. (The home network would also specify for each item on the list whether that item is allowed or denied as a local or home CN address.)

The home network may also dynamically adjust the initial list, for example when a particular service is instantiated or when the address of a serving network node becomes known.

The visited network can also play a part in composing the address list. In this case, the home network might send only a general description for parts of the list instead of specific IP address ranges. Such a description could relate, for example, to particular services, user groups, situations and correspondent nodes. Examples include:

-   “Video servers in the visited network”. This example refers to a pre-agreed set of servers in the visited network. It is the responsibility of the visited network to substitute the correct IP addresses. This method enables the visited network to change the number and address of the servers in question without notifying the home network.
-   “Public internet destinations”. In this case the IP address range is assembled from the public Border Gateway Protocol (BGP) advertisements heard by the visited network. This method alleviates the need to communicate the (potentially long) list of these address ranges.
-   “Local destinations”. This method may refer to all MNs currently served by the visited network.

With an embodiment of the present invention, home networks are able to control route optimization for their MNs' traffic. The assistance of the visited network is usually required and assumed.

The home network may execute various policies, such as:

-   All traffic of the user must always be sent home.
-   All traffic of the user can be route optimized.
-   All traffic of the user can be route optimized except for the ones sent to the home service network or any affiliated third party service networks.
-   Traffic that is to be lawfully intercepted at home can be denied route optimization.
-   Traffic towards particular networks can be selectively allowed or denied route optimization. For example, if the given network has better or guaranteed connectivity through the home network, traffic to it may be denied route optimization.
-   Traffic towards (a portion of) the visited network's service network can be allowed route optimization, for example based on a service delivery agreement between the home and visited networks, which specifies that the visited network provides certain resources to provide the service in question.

To manage the lists from a remote location, such as the home network, the visited network, an independent policy repository or a combination thereof, a management protocol is used. This protocol can be based on enhancements to known protocols such as the COPS (Common Open Policy Service) protocol (RFC 2748), the Diameter protocol (RFC 3588, RFC 4004) or it can also be an explicit new protocol. The most common situation is to manage the lists from the home network, as it is the network operator for the home network that wants to control how the mobile node performs route optimization.

It will be appreciated that operation of one or more of the above-described components can be controlled by a program operating on the device or apparatus. Such an operating program can be stored on a computer-readable medium, or could, for example, be embodied in a signal such as a downloadable data signal provided from an Internet website. The appended claims are to be interpreted as covering an operating program by itself, or as a record on a carrier, or as a signal, or in any other form.

1. A method of controlling the routing of a data packet sent from a first node towards a second node of a telecommunication network, the first node being a mobile node having an associated home network, the method comprising performing the following steps in an access router of the network: intercepting the data packet; determining if the packet relates to a first mode of communication between the first and second nodes in which data packets bypass a home agent associated with the first node's home network, through which home agent packets would pass in a second mode of communication between the first and second nodes different from the first mode; and dropping the packet if it is determined that the packet relates to the first mode and if dropping of the packet is determined to be in accordance with a predetermined routing policy.
2. The method as claimed in claim 1, comprising determining whether the dropping of the packet is in accordance with the routing policy based on the packet's destination address.
3. The method as claimed in claim 2, wherein the destination address is one of a home address and a care-of address.
4. The method as claimed in claim 1, comprising determining whether the dropping of the packet is in accordance with the routing policy based on the packet's source address.
5. The method as claimed in claim 2, further comprising: determining whether the dropping of the packet is in accordance with the routing policy based on the packet's source address; and determining that the packet should be dropped if the packet's source address is a local address, unless the delivery of such a packet is allowed by the routing policy according to the packet's destination address.
6. The method as claimed in claim 1, comprising determining whether the dropping of the packet is in accordance with the routing policy based on a routing header in the packet.
7. The method as claimed in claim 1, comprising determining that the packet relates to the first mode of communication if it relates to a control message associated with the first mode.
8. The method as claimed in claim 1, wherein the first mode of communication is a route optimization mode of the Mobile IP standard and the second mode is a bidirectional tunneling mode of the Mobile IP standard.
9. The method as claimed in claim 8, wherein the first mode of communication is a route optimization mode of the Mobile IP standard and control messages associated with the first mode comprise at least one type of IPv6 mobility message.
10. The method as claimed in claim 8, wherein the packet relates to the first mode of communication if it relates to a control message associated with the first mode, and control messages associated with the first mode comprise at least one of the following types of message: a Binding Update message; a Home Test Init message; and a Care-of Test Init message.
11. The method as claimed in claim 1, comprising determining whether the packet relates to the first mode of communication based on at least one of the packet's source and destination address.
12. The method as claimed in claim 1, wherein the second node is a stationary node.
13. The method as claimed in claim 1, further comprising sending an error message to the first node if the packet is dropped.
14. The method as claimed in claim 13, wherein the error message is an ICMP Administratively prohibited message.
15. The method as claimed in claim 1, wherein the routing policy specifies at least one IP address range, the routing policy specifying for the or each range whether a packet having a source address that falls within that range is to be dropped or allowed.
16. The method as claimed in claim 1, wherein the routing policy specifies at least one IP address range, the routing policy specifying for the or each range whether a packet having a destination address that falls within that range is to be dropped or allowed.
17. The method as claimed in claim 1, wherein the telecommunication network is an IP based telecommunication network.
18. The method as claimed in claim 17, wherein the IP network is based on at least one of the IP protocols IPv4 and IPv6.
19. The method as claimed in claim 1, comprising intercepting the packet in a visited network if the first node has roamed outside of its home network into the visited network, else intercepting the packet in the home network.
20. The method as claimed in claim 1, wherein the routing policy is stored in the access router.
21. The method as claimed in claim 1, comprising managing the routing policy from a remote location.
22. The method as claimed in claim 21, comprising managing the routing policy remotely via management signaling.
23. The method as claimed in claim 22, wherein the management signaling uses any of the Diameter or COPS protocols.
24. An access router for controlling the routing of a data packet sent from a first node towards a second node of a telecommunication network, the first node being a mobile node having an associated home network, and the access router comprising: means for intercepting the data packet; means for determining if the packet relates to a first mode of communication between the first and second nodes in which data packets bypass a home agent associated with the first node's home network, through which home agent packets would pass in a second mode of communication between the first and second nodes different from the first mode; and means for dropping the packet if it is determined that the packet relates to the first mode and if dropping of the packet is determined to be in accordance with a predetermined routing policy.
25. A method of controlling the sending of a data packet from a first node towards a second node of a telecommunication network, the first node being a mobile node having an associated home network, and the method comprising performing the following steps in the first node: determining whether the packet relates to a first mode of communication between the first and second nodes in which data packets bypass a home agent associated with the first node's home network, through which home agent packets would pass in a second mode of communication between the first and second nodes different from the first mode; determining whether the sending of such a packet is determined to be in accordance with a predetermined routing policy; and preventing the sending of the packet if the packet relates to the first mode of communication, unless the sending of the packet is determined to be in accordance with the predetermined routing policy.
26. The method as claimed in claim 25, comprising determining whether the sending of such a packet is in accordance with the routing policy based on the packet's destination address.
27. The method as claimed in claim 25, comprising determining whether the sending of such a packet is in accordance with the routing policy based on the packet's source address.
28. The method as claimed in claim 25, comprising determining that such a packet relates to the first mode of communication if it is a control message associated with the first mode.
29. The method as claimed in claim 25, comprising managing the routing policy based on error messages received in response to the previous sending of such packets, the error messages indicating that the packets have been dropped.
30. The method as claimed in claim 25, wherein the routing policy specifies at least one IP address range, the routing policy specifying for the or each range whether a packet having a destination address that falls within that range is allowed to be sent.
31. A mobile node comprising an apparatus for controlling the sending of a data packet from the mobile node towards a second node of a telecommunication network, the mobile node having an associated home network, and comprising: means for preventing the sending of the packet if the packet relates to a first mode of communication between the mobile node and second nodes, wherein in the first mode, data packets bypass a home agent associated with the mobile node's home network, and wherein home agent packets pass through the home agent in a second mode of communication between the mobile node and second nodes different from the first mode; wherein the packet relating to the first mode of communication is sent if the sending of the packet is determined to be in accordance with a predetermined routing policy.
32. An operating program loaded on a memory of a controller in a mobile node of a telecommunication network, said operating program comprising software code portions for controlling the sending of a data packet from the mobile node towards a second node of the telecommunication network, the mobile node having an associated home network having an associated home agent, said operating program performing the following steps when run on a processor of the controller: determining whether the packet relates to a first mode of communication between the mobile node and the second node in which data packets bypass the home agent associated with the mobile node's home network; determining whether the sending of such a packet is determined to be in accordance with a predetermined routing policy; and preventing the sending of the packet if the packet relates to the first mode of communication, unless the sending of the packet is determined to be in accordance with the predetermined routing policy.
33-35. (canceled)
36. An operating program loaded on a memory of an access router in a telecommunication network, said operating program comprising software code portions for controlling the routing of a data packet sent from a mobile node towards a second node of the telecommunication network, the mobile node having an associated home network having an associated home agent, said operating program performing the following steps when run on a processor of the access router: intercepting the data packet; determining if the packet relates to a first mode of communication between the first and second nodes in which data packets bypass a home agent associated with the first node's home network; and dropping the packet if it is determined that the packet relates to the first mode and if dropping of the packet is determined to be in accordance with a predetermined routing policy.